cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Ask the Expert- SD-WAN

368
Views
0
Helpful
2
Replies
Highlighted
Enthusiast

FTD 6.2.2 Remote Access VPN certificate issue

Hi.

I'm working on Cisco ASA FTD 6.2.2 Remote Access VPN. I have an internal test domain (xinmix.local) and a test MS Certificate Authority server. Based on the docs on Internet I've created specific certificate template on CA server to use it with SCEP cert enrollment. I finished cert enrollment process with SCEP and it is displayed as Available. But the problem is when I want to use HTTPS on the external client toward the FTD external-facing interface, browsers don't let me to open the page saying the certificate is invalid and issued to the "Firepower" (which is hostname of my ASA FTD device). Please notice that it's not the same error normally we see while using non-public certificates (like custom and self-generated certificates), which we can proceed to the page despite the certificate. Instead they say an intermediate root CA is missing and then prevents me to proceed to the web page. I tested it with 4 different browsers and none of them allowed me in.

error-certifiacte2.png

This is what I got on the browser. Any idea?

I'm looking for a good document about managing the certificates on FTD, cause the Cisco documents don't have details and explanation of what they intended to do and are just like "click on this, paste your cert, finish the process,..." which is not good and enough for learners. 

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Master

Re: FTD 6.2.2 Remote Access VPN certificate issue

You need to follow the remote access SSL VPN wizard in FMC to initially assign the available certificate to your outside interface.

 

If you already have it created and want to change the certificate, edit the VPN (Devices > VPN > Remote Access and click the pencil icon to the right of the relevant VPN listing) and go under the Access Interfaces tab. Edit the interface(s) and select the new Trustpoint (e.g. certificate). Save and deploy and you should see the proper certificate now presented to your clients.

 

If no interface identity certificate is configured then the "SSL Global Identity Certificate" will be used. that's most likely what you have in place currently.

 

 

2 REPLIES 2
Hall of Fame Master

Re: FTD 6.2.2 Remote Access VPN certificate issue

You need to follow the remote access SSL VPN wizard in FMC to initially assign the available certificate to your outside interface.

 

If you already have it created and want to change the certificate, edit the VPN (Devices > VPN > Remote Access and click the pencil icon to the right of the relevant VPN listing) and go under the Access Interfaces tab. Edit the interface(s) and select the new Trustpoint (e.g. certificate). Save and deploy and you should see the proper certificate now presented to your clients.

 

If no interface identity certificate is configured then the "SSL Global Identity Certificate" will be used. that's most likely what you have in place currently.

 

 

Enthusiast

Re: FTD 6.2.2 Remote Access VPN certificate issue

Actually I believed that the Global Identity Certificate would be used anyway, but don't know why it didn't. I assigned the same identity certificate to that access interface on Access Interfaces tab and then the web page appeared. Thank you for this great help.